CVE-2024-22641 - TCPDF 6.6.5 and Earlier Versions Vulnerable to ReDoS Attacks through SVG File Parsing

CVE-2024-22641 has been identified as a vulnerability in TCPDF versions 6.6.5 and earlier. It exposes applications that use the library to _Regular Expression Denial of Service (ReDoS)_ attacks when they parse untrusted SVG files. This post discusses the vulnerability, provides a code snippet, lists the original references, and gives the exploit details.

Vulnerability

TCPDF, a widely used PHP library for generating PDF files, comes bundled with an SVG parser for importing and rendering SVG content inside PDF documents. That parser is susceptible to specially crafted SVG files: an attribute value built to trigger catastrophic backtracking in one of the regular expressions used during parsing causes a ReDoS.

A ReDoS attack typically involves an attacker submitting a carefully crafted input to a service, which forces the service to consume excessive amounts of processing time and resources while attempting to process the input. This can lead to the service becoming slow or completely unresponsive, affecting its availability.

Exploit Details

To exploit CVE-2024-22641, an attacker needs to create a malicious SVG file containing a crafted attribute value that triggers excessive backtracking in one of the regular expressions used for parsing. The following snippet shows an example of exploiting this vulnerability using a modified attribute value:

<svg xmlns="http://www.w3.org/2000/svg">
  <path d="M9,1a8,8,,1,1,-17,M12,1a11,11,,1,1,-22,M15,1a14,14,,1,1,-28,M18,1a17,20,,1,1,-35," style="fill: rgb(((((((((((((((100," />
</svg>

In this example, the style attribute contains 16 layers of nested parentheses, which causes TCPDF's SVG parser to spend an excessive amount of time evaluating the regular expression. The result is a ReDoS: the application becomes unresponsive and its availability is degraded.


Mitigation

There is currently no official patch for this vulnerability. It is therefore recommended to avoid processing untrusted SVG files or, where that is unavoidable, to validate and sanitize these files before parsing them with TCPDF.

Alternatively, consider upgrading to a more recent version of TCPDF or exploring alternative PDF generation libraries that do not have this vulnerability.
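The validation step recommended above can be done before the file ever reaches TCPDF's regex-based parser. The following guard is an added example written for this post, not code from the TCPDF project: it parses the SVG with a standard XML parser, rejects DOCTYPE/ENTITY declarations, and checks every attribute value for length, parenthesis nesting depth and balance, which is exactly what the proof of concept above abuses (16 unclosed parentheses in a style attribute). The limits MAX_SVG_BYTES, MAX_ATTR_LEN and MAX_PAREN_DEPTH are assumed values to be tuned to your own documents; the benign sample SVG is constructed for the demonstration.

```python
"""Pre-parse guard for untrusted SVG destined for TCPDF (added example, not TCPDF code)."""
import xml.etree.ElementTree as ET

# Assumed limits for this example; tune them to what your documents legitimately need.
MAX_SVG_BYTES = 256 * 1024
MAX_ATTR_LEN = 1024
MAX_PAREN_DEPTH = 3  # rgb(), url(), matrix() and friends never nest deeply in real SVG


def paren_profile(value):
    """Return (deepest_nesting, balanced) for one attribute value."""
    depth = deepest = 0
    for ch in value:
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            if depth == 0:
                return deepest, False  # stray closing parenthesis
            depth -= 1
    return deepest, depth == 0


def check_svg(svg, max_bytes=MAX_SVG_BYTES, max_attr_len=MAX_ATTR_LEN,
              max_depth=MAX_PAREN_DEPTH):
    """Return a list of findings; an empty list means the SVG may be handed to TCPDF."""
    data = svg.encode() if isinstance(svg, str) else svg
    if len(data) > max_bytes:
        return [f"file too large: {len(data)} bytes > {max_bytes}"]
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        # Entity expansion is a separate XML DoS vector; SVG for PDF import does not need it.
        return ["DOCTYPE/ENTITY declarations are not accepted"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the namespace prefix for readable messages
        for name, value in elem.attrib.items():
            if len(value) > max_attr_len:
                findings.append(f"<{tag} {name}>: value length {len(value)} > {max_attr_len}")
            depth, balanced = paren_profile(value)
            if depth > max_depth:
                findings.append(f"<{tag} {name}>: parenthesis nesting {depth} > {max_depth}")
            if not balanced:
                findings.append(f"<{tag} {name}>: unbalanced parentheses")
    return findings


# Constructed benign sample: shallow, balanced parentheses as real SVG uses them.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect x="1" y="1" width="8" height="8" style="fill: rgb(200,30,30); stroke: url(#g)" />
</svg>"""

# The proof of concept from the write-up, rebuilt here: 16 nested, unclosed parentheses.
POC_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
           '<path d="M9,1a8,8,,1,1,-17,M12,1a11,11,,1,1,-22," '
           'style="fill: rgb(' + '(' * 15 + '100," /></svg>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("poc", POC_SVG)):
        findings = check_svg(doc)
        print(f"{label}: {'PASS' if not findings else 'REJECT'} {findings}")
```

Run as a script it passes the benign file and rejects the proof of concept with two findings (nesting depth 16 and unbalanced parentheses). The checks are linear in the input size, so the guard itself cannot be turned into a second ReDoS, and a rejected file should be logged with its findings so the upload source can be investigated.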

Conclusion

CVE-2024-22641 is a critical vulnerability in TCPDF versions 6.6.5 and earlier that exposes applications to ReDoS attacks when parsing untrusted SVG files. Developers are advised to avoid processing untrusted SVG files directly and to implement input validation and sanitization. Keep an eye on the TCPDF project for any updates or fixes related to this vulnerability.

Timeline

Published on: 05/28/2024 21:16:29 UTC
Last modified on: 08/01/2024 22:51:10 UTC